How do I check my Supabase RLS policies for security holes?

AuditYourApp performs an automated deep-scan of your Postgres schema. It simulates attacker behavior to identify tables with missing Row Level Security (RLS) policies, permissive "true" policies, and unauthenticated public access risks.

Is AuditYourApp safe to run on a production database?

Yes. The scanner operates in a read-only context for 95% of checks. For write-access verification, it uses transaction rollbacks to ensure no dummy data is left behind.

Does it provide code to fix the security issues?

Yes. Unlike standard scanners that only report errors, AuditYourApp generates the exact SQL snippets and Policy definitions needed to patch vulnerabilities and secure your Supabase project.

What is the difference between the Single Snapshot and Continuous Guard?

The Single Snapshot ($49) is a one-time audit perfect for pre-launch verification. Continuous Guard ($29/mo) runs weekly scans to detect security regressions, ensuring new code pushes do not accidentally expose private data.

Does it offer manual expert review??

Yes, AuditYourApp offers an Expert Architecture Review ($499) which includes manual logic analysis by a human security engineer.

Mobile App Security Checklist

Mobile apps that connect to backend-as-a-service platforms like Supabase and Firebase face unique security challenges. The app binary is distributed to untrusted devices, making it trivially easy for attackers to reverse engineer, tamper with, or intercept traffic. This checklist covers the key controls.

1. Secret Management in Mobile Apps

The most critical rule: never embed service-role keys, admin tokens, or server-side secrets in your mobile app binary. Tools like jadx (Android) and Hopper (iOS) can extract strings from compiled binaries in minutes.

For Supabase apps, only the anon key should be in the app. All privileged operations must go through Edge Functions or a server-side API that validates the user's JWT before acting.

For Firebase apps, the API key is designed to be public but must be restricted in the Google Cloud Console with app attestation (SHA-256 fingerprint for Android, bundle ID for iOS).

// WRONG: service-role key in React Native code
const supabase = createClient(url, 'eyJhbGci...service_role_key...');

// CORRECT: anon key only, rely on RLS
const supabase = createClient(url, 'eyJhbGci...anon_key...');

2. Secure Token Storage

On iOS, use the Keychain Services API to store authentication tokens. Never store them in UserDefaults or plain files.

On Android, use the EncryptedSharedPreferences from the Jetpack Security library, or the Android Keystore system for cryptographic keys.

// Android: EncryptedSharedPreferences
val prefs = EncryptedSharedPreferences.create(
    "secure_prefs",
    masterKeyAlias,
    context,
    EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
    EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
)
prefs.edit().putString("access_token", token).apply()

3. Transport Security

Enable certificate pinning for connections to your BaaS backend. This prevents man-in-the-middle attacks even when the user has installed a custom CA certificate (common on corporate or compromised devices).
Ensure NSAppTransportSecurity (iOS) does not have NSAllowsArbitraryLoads set to true in production.
On Android, use a network_security_config.xml to enforce TLS and configure pins.

4. App Attestation

Enable Firebase App Check (with Play Integrity for Android and DeviceCheck/App Attest for iOS) or equivalent attestation to prevent automated scripts from impersonating your app.

Without attestation, an attacker can extract your API key and make direct API calls from any HTTP client, bypassing any client-side logic.

5. Code Obfuscation and Tamper Detection

Android: Enable R8/ProGuard minification and obfuscation in release builds. Use integrity checking libraries to detect if the APK has been repackaged.
iOS: Enable bitcode if supported, use App Store distribution (which adds DRM), and consider third-party integrity SDKs.
React Native / Flutter: Be aware that JavaScript bundles and Dart snapshots can be extracted. Use Hermes bytecode (React Native) and obfuscation tools.

6. Pre-Release Reverse Engineering Test

Before releasing, run your own APK or IPA through reverse engineering tools:

# Android: Decompile and search for secrets
jadx -d output/ app-release.apk
grep -r "supabase\|firebase\|api_key\|secret" output/

# iOS: Use class-dump or Hopper Disassembler
class-dump -H App.app -o headers/

Fix any secrets, debug endpoints, or internal URLs that appear in the output.

7. Deep Link Validation

Malicious apps can register the same URL scheme and intercept deep links. Use Universal Links (iOS) and App Links (Android) with domain verification instead of custom URL schemes. Validate all parameters received through deep links before processing them.

8. Data Leakage Prevention

Disable app backups (Android android:allowBackup="false") or encrypt backup data. Backups can contain cached tokens and user data.
Strip EXIF metadata from uploaded images, which can contain GPS coordinates.
Clear sensitive data from pasteboard/clipboard after a timeout.
Disable screenshot capture on sensitive screens using FLAG_SECURE (Android) or hiding the view hierarchy on background (iOS).

Use AuditYour.app to scan your APK or IPA for embedded secrets and misconfigurations before every release.

Mobile App Security Checklist

Quick Checklist